You are browsing the archive for File Formats ZOO.

Enlightened and Unenlightened PE files

April 2, 2018 in File Formats ZOO

If you thought that the world of the PE files cannot get even more confusing I have some news for you: some of the PE files can be enlightened.

I came across enlightened files by looking at the Windows 10 files – what caught my attention was this resource inside the Notepad on Windows 10:

I have never seen it before so quick google search followed. Despite the fact this particular resource type/name is not a topic that was much discussed on the internet I quickly discovered this presentation from 2016.

On a slide 37 it states:

Declare your app enlightened (Win32)

Add these entries to resources.rc

MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
BEGIN
0x0001
END

MICROSOFTEDPPERMISSIVEAPPINFO EDPPERMISSIVEAPPINFOID
BEGIN
0x0001
END

A-ha!

Okay.

But what does it do/mean?

Turns out this is a part of Windows  Information Protection (WIP) initiative that focuses on supporting application management within Enterprise and covers both Mobile and Desktop devices. It enforces certain privacy rules on applications including data access and transfer between managed and unmanaged apps. The Enterprise enlightened apps are these that follow strict policies and protect data by design. They are able to distinguish between the personal and company data and protect (or not) it accordingly. From what I understood so far, in the proposed model the data is tagged and its use is guarded by policies associated with tags. This is actually pretty cool. Apps can then get a native support from OS that will enforce certain rules e.g. can block screen capture, clipboard and any other form of data exchange.

There is more information here. The article actually puts Notepad on the List of enlightened Microsoft apps.

So, if you see these resources it simply means that the program was designed with WIP in mind. I am still wondering how this can be verified (since anyone can add these resources during the compilation time, right?). Also, from what I have read about WIP – ‘Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.’. This is pretty interesting if the encryption is ‘by default’. I wonder how will it affect malware behavior and artifacts (not perfectly clear how the encryption is applied an on what level; will e.g. keylog files written by an unenlightened app /e.g. malicious code injected into Notepad?/ be somehow encrypted? will registry data be encrypted?).

If anyone experimented with this, and/r researched it more in-depth I’d appreciate a follow-up.

DeXRAY 2.05 update

January 26, 2018 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Software Releases

If there is one proof that online collaboration works it is DeXRAY. Since the tool was first released it received quite a bit of attention from the DFIR community. Every once in a while I get not only a positive feedback from the users, but also very important contributing ideas and code offered by security researchers and professionals.

This release is not different.

A few days ago I was pinged by Luis Rocha (@countuponsec) who generously offered his insight and results of his and Antonio Monaca’s research on Kaspersky’s System Watcher feature (available in KES10) that quarantines files in the following location:

  • C:\ProgramData\Kaspersky Lab\KES10\SysWHist\file_cache\<md5>.bin

Luis discovered that the files are encrypted with a static XOR key 397b4d58c9397b4d58c9.

Based on his research I have quickly implemented a routine in Dexray to decrypt these files.

Thanks Luis and Antonio!

You can download the latest version here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ, System Watcher’s <md5>.bin)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA) – 2 versions
  • MalwareBytes Quarantine files (QUAR) – 2 versions
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)